SaaS security risks must be addressed - Information Security Magazine

SaaS security risks must be addressed

The lure of software-as-a-service is simple: It comes down to cold hard cash.

So in this economic environment, it comes as no surprise that organizations, large and small, are looking to SaaS providers to offer them services where they pay for infrastructure or expertise on a monthly basis.

Salesforce.com is the poster child for the SaaS space, offering hosted CRM. Other business applications using the SaaS model include HR, expense reporting and the like. We've seen SaaS models also pop up in the security space, with Qualys, Webroot, Google, Veracode, Zscaler and Purewire, among others, offering security services ranging from messaging security to vulnerability assessment to application security testing. With huge data centers, Amazon and Google rent their capacity on a by-job basis.

It seems to me that in a relatively short amount of time this will be the way we use computing power and access applications. It will radically change the ways businesses operate -- much like what Web browsers and email did in the 1990s.

And you've got to adapt. You'll have no choice. So the time is now to look at the security and regulatory implications of these types of services and get ahead of a wave that seems almost inevitable.

The reason SaaS works at lower price points is that the provider hosts multiple customers on a shared infrastructure. And it is precisely this type of architecture that should trouble a security team. As a security manager, you have to insert yourself into the conversation and lay out a few necessary requirements.

The first must be clear separation of customer data. In addition, you need to determine whether you can get access to logging and audit trails, both for compliance and for security should an incident occur. Moreover, how secure are the provider's Web applications? What about insider threats at the provider's facility? What are your provider's access controls? How does your provider handle breaches, including those caused by insiders?
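What "clear separation of customer data" and "access to audit trails" look like in practice on a shared-infrastructure service is shown below. This is an added example, not code from the column or from any provider named in it; the schema, tenant names and records are constructed for illustration. It puts a vulnerable lookup (record fetched by a globally unique id, so one tenant can read another's row) beside a tenant-scoped lookup where the tenant comes from the authenticated session and every attempt, allowed or denied, lands in a per-tenant audit log.

```python
"""
Multi-tenant data separation on shared infrastructure: a vulnerable lookup
beside a tenant-scoped one, with an audit trail of every access attempt.

Constructed example: the schema, tenant names and records below are made up
for illustration; they are not any provider's real data model.
"""
import sqlite3
from datetime import datetime, timezone


def build_store() -> sqlite3.Connection:
    """Create an in-memory shared database holding two tenants' records.

    One table serves every customer (the cost model behind SaaS pricing),
    so isolation has to come from the application enforcing tenant_id on
    every read and write, not from physically separate databases.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expense_reports ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " employee TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE audit_log ("
        " ts TEXT NOT NULL, tenant_id TEXT NOT NULL, actor TEXT NOT NULL,"
        " action TEXT NOT NULL, record_id INTEGER, outcome TEXT NOT NULL)"
    )
    # Constructed sample rows: tenant "acme" owns id 1, tenant "globex" owns id 2.
    conn.executemany(
        "INSERT INTO expense_reports VALUES (?, ?, ?, ?)",
        [(1, "acme", "alice", 12500), (2, "globex", "bob", 98000)],
    )
    conn.commit()
    return conn


def _audit(conn, tenant_id, actor, action, record_id, outcome):
    """Append one line to the audit trail for every attempt, allowed or not."""
    conn.execute(
        "INSERT INTO audit_log VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), tenant_id, actor, action,
         record_id, outcome),
    )
    conn.commit()


def get_report_unscoped(conn, record_id):
    """VULNERABLE: looks a record up by id alone.

    On shared infrastructure the id space is global, so a caller from one
    tenant who guesses or increments an id reads another tenant's row.
    """
    return conn.execute(
        "SELECT id, tenant_id, employee, amount_cents FROM expense_reports"
        " WHERE id = ?", (record_id,)
    ).fetchone()


def get_report_scoped(conn, tenant_id, actor, record_id):
    """HARDENED: the caller's tenant (taken from the authenticated session,
    never from the request body) is part of every query, and each attempt,
    successful or denied, is written to the audit log."""
    row = conn.execute(
        "SELECT id, tenant_id, employee, amount_cents FROM expense_reports"
        " WHERE id = ? AND tenant_id = ?", (record_id, tenant_id)
    ).fetchone()
    _audit(conn, tenant_id, actor, "read", record_id,
           "ok" if row else "denied")
    return row


def audit_entries(conn, tenant_id):
    """What a customer should be able to pull from the provider: its own
    audit trail, and only its own (the log is tenant-scoped as well)."""
    return conn.execute(
        "SELECT actor, action, record_id, outcome FROM audit_log"
        " WHERE tenant_id = ? ORDER BY rowid", (tenant_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_store()
    # Tenant "acme" asks for id 2, which belongs to "globex".
    print("unscoped:", get_report_unscoped(db, 2))                  # leaks globex's row
    print("scoped:  ", get_report_scoped(db, "acme", "alice", 2))   # None
    print("own row: ", get_report_scoped(db, "acme", "alice", 1))
    for line in audit_entries(db, "acme"):
        print("audit:", line)
```

The point to take into a provider conversation is the second query's `AND tenant_id = ?`: it must be present on every data path, not just the obvious ones, and the denied attempt must still show up in the trail you are given, because a cross-tenant probe that silently returns nothing is exactly the event you would want to investigate.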

Add in government and industry regulations and you've got a lot to muddle through.

But thankfully there is plenty of time for discussion and fixes. The market is relatively new and many of these questions will need to be hashed out. It is your job, as users of these services, to push SaaS providers to give you the answers you need.

It will take time but as other technologies before this, the industry, and security practitioners, will come up with a way to make it work.

Kelley Damore is Editorial Director of Information Security and TechTarget's Security Media Group. Send your comments on this column to feedback@infosecuritymag.com.

This was first published in April 2009